Detecting the information security anomalies based on an entropy analysis of the information system

Authors

DOI:

https://doi.org/10.31548/energiya2022.01.072

Abstract

Measures to protect against cyberattacks are unable to provide a 100% guarantee that an attacker cannot penetrate an information system. If an attacker has gained access to the system, then such actions should be detected as soon as possible and interrupt access, as well as an investigation to fix security gaps. Methods used to detect attacks are divided into detecting misuse and detecting anomalies. This paper investigates the applicability of a frequency method that detects anomalies in the system by analyzing the entropy of the event log. This method is typically used to detect anomalies in network traffic, and unauthorized activities can also be indicated by anomalies in the hosts' event log. Studies on the Windows event log have shown that by analyzing the entropy, it is possible to detect exceeding the security thresholds by the number of different messages in the event log. This may indicate anomalies in the operation of the information system. The proposed method can be integrated into intrusion detection systems that notify the security administrator of possible violations.

Key words: entropy, anomalies, event log, information security

References

Smith, Z. M., Lostri, E., Lewis, J. A. (2020). The Hidden Costs of Cybercrime. McAfee. Available at: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf

Kolodchak, O. (2012). Suchasni metody vyiavlennia anomalii v systemakh vyiavlennia vtorhnen. [Modern methods of detecting anomalies in intrusion detection systems]. Visnyk Natsionalnoho un-tu «Lvivska politekhnika». Komp’iuterni systemy ta merezhi, 745, 98–104. Available at: https://science.lpnu.ua/sites/default/files/journal-paper/2017/nov/6726/16-98-104.pdf

Kazmirchuk, S. V., Korchenko, A. O., Parashchuk, T. I. (2018). Analiz system vyiavlennia vtorhnen [Analysis of intrusion detection systems]. Ukrainian Information Security Research Journal, 20(4). Available at: https://doi.org/10.18372/2410-7840.20.13425

Ruban, I. V., Martovytskyi, V. O., Partyka, S. O. (2016). Klasyfikatsiia metodiv vyiavlennia anomalii v informatsiinykh systemakh [Classification of methods for detecting anomalies in information systems]. Systemy ozbroiennia i viiskova tekhnika, (3), 100-105. Available at: http://nbuv.gov.ua/UJRN/soivt_2016_3_24

Radivilova, T., Kirichenko, L., Tawalbeh, M., Ilkov, A. (2021). Vyiavlennia anomalii v telekomunikatsiinomu trafiku statystychnymy metodamy [Detection of anomalies in the telecommunications traffic by statistical methods]. Cybersecurity: Education, Science, Technique, 11(3), 183–194. Available at: https://doi.org/10.28925/2663-4023.2021.11.183194

Gu, Y., McCallum, A., Towsley, D. (2005). Detecting anomalies in network traffic using maximum entropy estimation. In the 5th ACM SIGCOMM conference. ACM Press. Available at: https://doi.org/10.1145/1330107.1330148

Zhurakovskyi, Y. P., Poltorak, V. P. (2001). Teoriia informatsii ta koduvannia [Information theory and coding]. Kyiv: Vyshcha shkola, 255.

Gudkov, O. (2012), Calculation Algorithm for Network Flow Parameters Entropy in Anomaly Detection. IT Security for the Next Generation. International Round, Delft University of Technology, May 11–13, 2012.

Downloads

Published

2022-06-06

Issue

No. 1 (2022)

Section

Статті

License

Relationship between right holders and users shall be governed by the terms of the license Creative Commons  Attribution – non-commercial – Distribution On Same Conditions 4.0 international (CC BY-NC-SA 4.0):https://creativecommons.org/licenses/by-nc-sa/4.0/deed.uk

Authors who publish with this journal agree to the following terms:

  • Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
  • Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
  • Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).